Government Proposes New Laws In Cyber Security Review

uk cybersecurity lock ©shutterstock Borislav Bajkic

New measures proposed to bolster the resilience of British businesses facing an ever growing number of cyber attacks

NIS regulation update

The government wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs), which provide specialised online and digital services.

Managed services include security services, workplace services and IT outsourcing.

These firms are crucial to boosting the growth of the country’s £150.6 billion digital sector, and they have privileged access to their clients’ networks and systems, which makes a compromised provider a route into many customer environments at once.

The government is therefore launching a consultation on amending the NIS regulations which includes proposals to:

  • Expand the scope of the NIS Regulations to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations.
  • Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which impact their services.
  • Give the government the ability to future-proof the NIS regulations by updating them and if necessary bring into scope more organisations in the future which provide critical support to essential services.
  • Transfer all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden.
  • Update the regulatory regime so the most critical digital service providers in the economy have to demonstrate proactively they are following NIS Regulations to the ICO, and take a more light-touch approach with the remaining digital providers.

“I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience,” said NCSC Technical Director Dr Ian Levy. “These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”

Cyber skills

The government is also seeking to address the shortage of much needed cyber skills.

It is looking to the government-established and -funded UK Cyber Security Council, the independent body whose role is to lead the cyber workforce and put it on a par with established professions such as engineering.


The government proposals seek to give the council the ability to define and recognise cyber job titles and link them to existing qualifications and certifications.

People would have to meet competency standards set by the council before they could use a specific job title across the range of specialisms in cyber security.

This would make it easier for employers to identify the specific cyber skills they need in their organisations and create clearer information on career pathways for young people as well as existing practitioners, without providing unnecessary barriers to entry and progression.

The proposals include the creation of a Register of Practitioners, similar to what exists in the medical and legal professions, setting out the practitioners who are recognised as ethical, suitably-qualified or senior.

“The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications,” said Simon Hepburn, CEO, UK Cyber Security Council.

“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”

Reaction

The UK government’s announcement of a cyber security and regulations review has drawn reactions from experts in the cyber security sector.

Ilkka Turunen, Field CTO of software security specialist Sonatype, for example, welcomed the review’s focus on supply chain security, but is concerned by the lack of attention given to open source and software supply chain security specifically.

“The UK government’s move to bolster cyber resilience is long overdue,” said Turunen. “However, today’s review overlooks one of the most pressing challenges facing businesses today – open source security as a part of the supply chain.”

“Despite open source components forming the foundations of our digital economy – comprising 80-90 percent of the code in modern applications – there is not a single reference to open source in the 11,000+ word document,” noted Turunen. “Until significant emphasis is put on improving open source practices on a national level, the government is unlikely to deliver on its objectives.”

“While the government has rightly recognised the importance of digital supply chain security at large, in neglecting to mention, or more importantly understand the use of open source in software development, it has ignored the significant threat posed by the careless use of the software supply chain itself,” said Turunen.

“The Log4j vulnerability that set the Internet ablaze in recent weeks demonstrates the far reach and relative opaqueness of open source adoption,” said Turunen. “It is now a matter of extreme urgency and the UK must move quickly to introduce measures in line with those being implemented in the US to ensure companies know what’s in their software.”

“Minimally, organisations must create and continuously update a software bill of materials (SBOM),” said Turunen. “Acting like a list of ingredients for software, SBOMs require businesses to know which third-party components are in their applications, enabling them to more quickly identify any risks present and mitigate the impact of supply chain attacks. This is something acknowledged by the Biden administration, and which the UK government should urgently look to emulate.”

“Failure to move beyond awareness-building and implement practical software supply chain security measures leaves the UK in a precarious position,” Turunen concluded. “Both the government and businesses need to take responsibility for securing the software supply chain. Only then will companies be able to truly improve their cyber resilience.”
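To make concrete what the SBOM argument in the quotes above buys a defender, here is an added example that is not part of the article or Sonatype’s tooling. It walks a constructed CycloneDX-style SBOM, including components nested under another component (transitive dependencies, the “relative opaqueness” the quote refers to), and checks every component against a small advisory list. The SBOM contents are invented for illustration; the single advisory entry follows the public Log4Shell advisory (CVE-2021-44228, log4j-core 2.0-beta9 up to but not including 2.15.0), which the article itself does not detail. The version comparison is deliberately simple and is an assumption for this example, not a full Maven version parser.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape (illustrative; not a real build's SBOM).
# log4j-core 2.14.1 is hidden one level down, as a dependency of "billing-service".
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library", "group": "com.example", "name": "billing-service", "version": "3.2.0",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.12.3"}
      ]
    },
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"}
  ]
}
""")

# Constructed advisory feed. The entry mirrors the public Log4Shell advisory
# (CVE-2021-44228: log4j-core from 2.0-beta9, fixed in 2.15.0). The article gives
# no such version details; this is sample input for the example only.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "group": "org.apache.logging.log4j",
        "name": "log4j-core",
        "introduced": "2.0-beta9",
        "fixed": "2.15.0",
    },
]


def parse_version(v):
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple: numeric segments
    first (padded to three), then a flag so a pre-release sorts below the
    release with the same numbers. Pre-release labels compare as plain strings,
    which is enough for range checks like the one below (assumption: this is a
    simplified comparison, not full Maven version semantics)."""
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), 0 if pre else 1, pre)


def iter_components(node):
    """Depth-first walk over a CycloneDX component tree, yielding every
    component, including ones nested under another component."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom, advisories):
    """Return (group:name, version, advisory id) for each SBOM component whose
    coordinates match an advisory and whose version falls in its range."""
    hits = []
    for comp in iter_components(sbom):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv):
                hits.append((f'{comp["group"]}:{comp["name"]}', comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for coord, version, adv_id in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{coord}@{version} is affected by {adv_id}")
```

Run against the constructed SBOM, only the nested log4j-core 2.14.1 is reported: the top-level 2.17.1 is past the fixed version, and the old `log4j:log4j` 1.x artifact has different coordinates and is not matched by this advisory at all. The point the quote makes is visible here: without the nested component list, the affected copy would not be found by looking at direct dependencies alone.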